Communicator Web Access Single Sign On

  • Question

  • I'm about to throw in the towel on this one. I've followed the CWA lab setup for deploying SSO through ISA to a T and it flat out doesn't work. The setup:

    2 CWA Virtual Servers: CWA Internal and CWA External

    CWA Internal works fine internally using both integrated and forms-based authentication.

    CWA External works fine using forms-based authentication if I publish the port through ISA. I can then access CWA successfully externally and get the forms-based auth screen and log in successfully. This rules out routing, DNS, etc. I can reach it externally just fine. Certificates are all in order. The issue I'm having is really just with SSO.

    If I change that CWA External virtual server (or just create a new one) to custom authentication for use with the SSO feature, it gets close to working. When I try externally, what I get is the ISA authentication form. That's good. It's successfully contacting the DC, because if I enter improper credentials ISA comes back and denies me. Also good. If I enter valid credentials, ISA processes for about 20 seconds and then comes back with an error page showing a 403 Forbidden error. And that's my problem.

    I imagine this has something to do with an IIS permission in the CWA virtual folders, but no idea which one.

    I ran some logging on the CWA server and got the log at the bottom of the post. If you look, it appears the SSO succeeds, because I see "SSO/quicklogon logon succeeded and request was forwarded", but a few lines later I see 401 Access Denied, along with an attempt to log in via NTLM. The guide states to tell ISA to use Basic Authentication on the rule, so is there a mixup somewhere?

    If I change ISA to use NTLM, ISA itself will come back immediately with "You do not have the permissions required to access this Web site".

    Any suggestions? Has anyone gotten this to work successfully yet?


    Code Block

    TL_INFO(TF_COMPONENT) [0]05C0.038C::01/09/2008-18:51:45.399.0000006f (CWAAuth,CRequestState::Attach:112.idx(144))( 000FD4C0 ) SF_NOTIFY_PREPROC_HEADERS event: CRequestState::Attach called. URL: /
    TL_INFO(TF_COMPONENT) [0]05C0.038C::01/09/2008-18:51:45.399.00000070 (CWAAuth,PreProcessHeaders:125.idx(136))PreProcessHeaders - Connection ID# 10
    TL_INFO(TF_COMPONENT) [0]05C0.038C::01/09/2008-18:51:45.399.00000071 (CWAAuth,CRequestState::DetermineRequestType:112.idx(311))( 000FD4C0 ) CRequestState::DetermineRequestType - Request Type: 0
    TL_INFO(TF_COMPONENT) [0]05C0.038C::01/09/2008-18:51:45.399.00000072 (CWAAuth,CRouteIncoming::Route:1100.idx(85))( 00F3F7D4 ) RouteRequest- Request routed: /sso/sso.aspx
    TL_INFO(TF_COMPONENT) [0]05C0.038C::01/09/2008-18:51:45.524.00000073 (CWAAuth,HttpExtensionProc:1236.idx(50))ISAPI export HttpExtensionProc called.
    TL_INFO(TF_COMPONENT) [0]05C0.038C::01/09/2008-18:51:45.524.00000074 (CWAAuth,CIO_Context::CIO_Context:285.idx(882))( 000E0E10 ) CIO_Context::CIO_Context - Local computer name: TAP-OCS-CWA
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000075 (CWAAuth,CIO_Context::HseProcessRequest:285.idx(1679))HseProcessRequest called.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000076 (CWAAuth,CIO_Context::ValidateSignOn:285.idx(1279))( 000E0E10 ) ValidateSignOn - Begin validate.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000077 (CWAAuth,CIO_Context::ValidateSignOn:285.idx(1343))( 000E0E10 ) ValidateSignOn - Auth type: 512 Method: GET
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000078 (CWAAuth,CADAuthz::AuthorizeUser:835.idx(219))( 01B34080 ) CADAuthz::AuthorizeUser entered - URI: NULL
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000079 (CWAAuth,CADAuthz::InternalAuthorize:835.idx(348))( 01B34080 ) CADAuthz::InternalAuthorize - URI: NULL SID: S-1-5-21-1744402294-1360516214-864509452-500
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000007a (CWAAuth,CLDAPBindManager::AcquireCachedBind:835.idx(1944))( 000B5BF0 ) CLDAPBindManager::AcquireCachedBind - entered for : 0.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000007c (CWAAuth,CLDAPBindManager::AcquireCachedBind:835.idx(1969))( 000B5BF0 ) CLDAPBindManager::AcquireCachedBind - cached bind was acquired.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000007e (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserInternal:835.idx(2541))( 000EFB50 ) CLDAPBind::QueryUserInternal - search filter: (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=interOrgPerson))(|(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\76\77\F9\67\76\D4\17\51\0C\5E\87\33\F4\01\00\00)(msRTCSIP-OriginatorSid=\01\05\00\00\00\00\00\05\15\00\00\00\76\77\F9\67\76\D4\17\51\0C\5E\87\33\F4\01\00\00)))
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000007f (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserInternal:835.idx(2543))( 000EFB50 ) CLDAPBind::QueryUserInternal - begin ldap_search_sW: (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=interOrgPerson))(|(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\76\77\F9\67\76\D4\17\51\0C\5E\87\33\F4\01\00\00)(msRTCSIP-OriginatorSid=\01\05\00\00\00\00\00\05\15\00\00\00\76\77\F9\67\76\D4\17\51\0C\5E\87\33\F4\01\00\00)))
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000080 (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserInternal:835.idx(2554))( 000EFB50 ) CLDAPBind::QueryUserInternal - end ldap_search_sW: (&(|(objectCategory=user)(objectCategory=contact)(objectCategory=interOrgPerson))(|(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\76\77\F9\67\76\D4\17\51\0C\5E\87\33\F4\01\00\00)(msRTCSIP-OriginatorSid=\01\05\00\00\00\00\00\05\15\00\00\00\76\77\F9\67\76\D4\17\51\0C\5E\87\33\F4\01\00\00)))
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000081 (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserInternal:835.idx(2600))( 000EFB50 ) CLDAPBind::QueryUserInternal - Query successful.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000082 (CWAAuth,CLDAPQueryContext::GetUserDN:835.idx(523))( 023B19D8 ) CLDAPQueryContext::GetUserDN - begin ldap_get_dnW: NULL
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000083 (CWAAuth,CLDAPQueryContext::GetUserDN:835.idx(527))( 023B19D8 ) CLDAPQueryContext::GetUserDN - end ldap_get_dnW: NULL
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000084 (CWAAuth,CLDAPBindManager::AcquireCachedBind:835.idx(1944))( 000B5BF0 ) CLDAPBindManager::AcquireCachedBind - entered for : 2.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000086 (CWAAuth,CLDAPBindManager::AcquireCachedBind:835.idx(1969))( 000B5BF0 ) CLDAPBindManager::AcquireCachedBind - cached bind was acquired.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000088 (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserByDN:835.idx(2499))( 000EFC50 ) CLDAPBind::QueryUserByDN entered - DN: CN=Administrator,CN=Users,DC=ptown,DC=com
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000089 (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserInternal:835.idx(2541))( 000EFC50 ) CLDAPBind::QueryUserInternal - search filter: NULL
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000008a (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserInternal:835.idx(2543))( 000EFC50 ) CLDAPBind::QueryUserInternal - begin ldap_search_sW: NULL
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000008b (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserInternal:835.idx(2554))( 000EFC50 ) CLDAPBind::QueryUserInternal - end ldap_search_sW: NULL
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000008c (CWAAuth,CLDAPBindManager::CLDAPBind::QueryUserInternal:835.idx(2600))( 000EFC50 ) CLDAPBind::QueryUserInternal - Query successful.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000008d (CWAAuth,CLDAPQueryContext::CheckAttributes:835.idx(631))( 023B19D8 ) CLDAPQueryContext::CheckAttributes - entered for user sid: S-1-5-21-1744402294-1360516214-864509452-500.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000008e (CWAAuth,CLDAPQueryContext::CheckAttributes:835.idx(669))( 023B19D8 ) CLDAPQueryContext::CheckAttributes - URI: sip:Administrator@confusedamused.com HomePoolDN: CN=LC Services,CN=Microsoft,CN=TAP-OCS-2K7,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=ptown,DC=com UserEnabled: TRUE InternetAccess: TRUE IsDeleted: <NULL>
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000008f (CWAAuth,CLDAPQueryContext::CheckAttributes:835.idx(817))( 023B19D8 ) CLDAPQueryContext::CheckAttributes - Phone info - Work: NULL Home: NULL, Mobile: NULL, Other: NULL OtherHome NULL OtherMobile NULL
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000090 (CWAAuth,CADAuthz::InternalAuthorize:835.idx(414))( 01B34080 ) CADAuthz::AuthorizeUser - URI: NULL UserSID: S-1-5-21-1744402294-1360516214-864509452-500 Authorized: Yes
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000091 (CWAAuth,CLDAPPoolManager::FindServer:835.idx(1274))( 0010FC08 ) CLDAPPoolManager::FindServer entered -  HomeServer DN: CN=LC Services,CN=Microsoft,CN=TAP-OCS-2K7,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=ptown,DC=com
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000092 (CWAAuth,CLDAPPoolManager::SearchCacheForHomeServerPool:835.idx(1461))( 0010FC08 ) CLDAPPoolManager::SearchCacheForHomeServerPool - entered.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000095 (CWAAuth,CLDAPPoolManager::SearchCacheForHomeServerPool:835.idx(1498))( 0010FC08 ) CLDAPPoolManager::SearchCacheForHomeServerPool - HomeServer tap-ocs-2k7.ptown.com found in cache.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000096 (CWAAuth,CADAuthz::AuthorizeUser:835.idx(285))( 01B34080 ) CADAuthz::AuthorizeUser succeeded - HomeServer: tap-ocs-2k7.ptown.com URI: Administrator@confusedamused.com
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000097 (CWAAuth,CIO_Context::HseProcessRequest:285.idx(1852))HseProcessRequest - Auth/Authz succeeded.
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000098 (CWAAuth,EncodeTicket:999.idx(82))EncodeTicket -  URI = Administrator@confusedamused.com HomeServer = tap-ocs-2k7.ptown.com
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000099 (CWAAuth,CIO_Context::HseProcessRequest:285.idx(2061))HseProcessRequest - session ticket: 59|10|74caf117-aa79-4f97-996c-c4c292776245|QWRtaW5pc3RyYXRvckBjb25mdXNlZGFtdXNlZC5jb218dGFwLW9jcy0yazcucHRvd24uY29t|6mdpbP1U7sCx1APlLen7e5bhvWZRgDZK1kHHN5U=
    TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.0000009a (CWAAuth,CIO_Context::HseProcessRequest:285.idx(2272))HseProcessRequest - SSO/quicklogon logon succeeded and request was forwarded.Response body: <sso>
      <ticket>59|10|74caf117-aa79-4f97-996c-c4c292776245|QWRtaW5pc3RyYXRvckBjb25mdXNlZGFtdXNlZC5jb218dGFwLW9jcy0yazcucHRvd24uY29t|6mdpbP1U7sCx1APlLen7e5bhvWZRgDZK1kHHN5U=</ticket>
      <uri>Administrator@confusedamused.com</uri>
      <signInData>PHNpZ25JbkRhdGE+DQogIDx3b3JrUGhvbmU+PC93b3JrUGhvbmU+DQogIDxob21lUGhvbmU+PC9ob21lUGhvbmU+DQogIDxtb2JpbGVQaG9uZT48L21vYmlsZVBob25lPg0KICA8b3RoZXJQaG9uZT48L290aGVyUGhvbmU+DQogIDxvZmZpY2U+PC9vZmZpY2U+DQogIDxjb21wYW55PjwvY29tcGFueT4NCiAgPHRpdGxlPjwvdGl0bGU+DQo8L3NpZ25JbkRhdGE+DQo=</signInData>
    </sso>
    TL_INFO(TF_COMPONENT) [0]05C0.0C44::01/09/2008-18:51:45.587.0000009b (CWAAuth,SendResponse:125.idx(610))NOTIFY_SEND_RESPONSE event: SendResponse called. HttpStatus: 500 ConnectionID 10
    TL_INFO(TF_COMPONENT) [0]05C0.0C44::01/09/2008-18:51:45.587.0000009c (CWAAuth,SendResponse:125.idx(666))SendResponse - 500 error received during auth - ResponseType: 2
    TL_INFO(TF_COMPONENT) [0]05C0.0C44::01/09/2008-18:51:45.587.0000009d (CWAAuth,SendRawData:125.idx(785))SF_NOTIFY_SEND_RAW_DATA event: SendRawData called.
    TL_INFO(TF_COMPONENT) [0]05C0.0C44::01/09/2008-18:51:45.587.0000009e (CWAAuth,SendRawData:125.idx(811))SendRawData - ResponseType: 2
    TL_INFO(TF_COMPONENT) [0]05C0.0C44::01/09/2008-18:51:45.587.0000009f (CWAAuth,SendRawData:125.idx(891))SendRawData - custom response: HTTP/1.1 401 Access Denied
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    Content-Length: 0

    Wednesday, January 9, 2008 7:14 PM
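The trace in the post is long, but the question it answers is short: did CWAAuth authenticate the user, and what did the server send back afterwards? As an added example (not part of this thread, and not Microsoft's code), the Python script below parses trace lines in the layout shown above, decodes the base64 field of the session ticket, and reports the contradiction the poster describes: authorisation succeeded and a ticket was issued, yet the same connection was answered with a 401 and a Negotiate/NTLM challenge. The record layout and the ticket layout are inferred from the posted log only; the first two numeric ticket fields and the trailing value are not explained on this page and are left uninterpreted. The embedded TRACE is an excerpt of the log from the question.

```python
"""Pull the authentication sequence out of a CWAAuth (Communicator Web Access) trace.

Added example for this thread, not Microsoft's code. The record layout and the
ticket layout are inferred from the posted log; the first two numeric ticket
fields and the trailing value are not documented here and are kept opaque.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the trace posted in the question (only the records the summary needs).
TRACE = """\
TL_INFO(TF_COMPONENT) [0]05C0.038C::01/09/2008-18:51:45.399.00000070 (CWAAuth,PreProcessHeaders:125.idx(136))PreProcessHeaders - Connection ID# 10
TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000077 (CWAAuth,CIO_Context::ValidateSignOn:285.idx(1343))( 000E0E10 ) ValidateSignOn - Auth type: 512 Method: GET
TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000096 (CWAAuth,CADAuthz::AuthorizeUser:835.idx(285))( 01B34080 ) CADAuthz::AuthorizeUser succeeded - HomeServer: tap-ocs-2k7.ptown.com URI: Administrator@confusedamused.com
TL_INFO(TF_COMPONENT) [0]05C0.0EC8::01/09/2008-18:51:45.524.00000099 (CWAAuth,CIO_Context::HseProcessRequest:285.idx(2061))HseProcessRequest - session ticket: 59|10|74caf117-aa79-4f97-996c-c4c292776245|QWRtaW5pc3RyYXRvckBjb25mdXNlZGFtdXNlZC5jb218dGFwLW9jcy0yazcucHRvd24uY29t|6mdpbP1U7sCx1APlLen7e5bhvWZRgDZK1kHHN5U=
TL_INFO(TF_COMPONENT) [0]05C0.0C44::01/09/2008-18:51:45.587.0000009b (CWAAuth,SendResponse:125.idx(610))NOTIFY_SEND_RESPONSE event: SendResponse called. HttpStatus: 500 ConnectionID 10
TL_INFO(TF_COMPONENT) [0]05C0.0C44::01/09/2008-18:51:45.587.0000009f (CWAAuth,SendRawData:125.idx(891))SendRawData - custom response: HTTP/1.1 401 Access Denied
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0
"""

# One trace record: level(flag) [n]pid.tid::timestamp (component,function:line.idx(n))
# optionally followed by "( address )", then the free-text message.
LINE_RE = re.compile(
    r"^TL_\w+\(\w+\) \[\d+\](?P<pid>[0-9A-Fa-f]+)\.(?P<tid>[0-9A-Fa-f]+)::(?P<ts>\S+) "
    r"\((?P<component>\w+),(?P<func>.+?):\d+\.idx\(\d+\)\)"
    r"(?:\( [0-9A-Fa-f]+ \) )?(?P<msg>.*)$"
)


@dataclass
class Summary:
    connection_id: Optional[str] = None
    auth_type: Optional[str] = None
    authorized_uri: Optional[str] = None
    home_server: Optional[str] = None
    ticket: Optional[Dict[str, str]] = None
    filter_status: Optional[str] = None   # status IIS handed the ISAPI filter (500 here)
    final_status: Optional[str] = None    # status line CWAAuth actually sent to the client
    challenges: List[str] = field(default_factory=list)  # WWW-Authenticate schemes offered


def parse(trace: str) -> List[Dict[str, str]]:
    """Split the trace into records. Lines that do not start a record (the raw
    HTTP headers after 'custom response:') are folded into the previous message."""
    events: List[Dict[str, str]] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif events and line.strip():
            events[-1]["msg"] += "\n" + line.strip()
    return events


def decode_ticket(raw: str) -> Dict[str, str]:
    """Split the pipe-delimited session ticket and decode its base64 field,
    which (per the ticket in the posted log) carries 'uri|homeserver'."""
    fields = raw.split("|")
    if len(fields) != 5:
        raise ValueError("unexpected ticket layout: %r" % raw)
    payload = base64.b64decode(fields[3]).decode("utf-8")
    uri, home_server = payload.split("|", 1)
    # fields[0], fields[1] and the trailer are not explained on the page; kept opaque.
    return {"guid": fields[2], "uri": uri, "home_server": home_server,
            "trailer": fields[4]}


def summarise(trace: str) -> Summary:
    """Reduce the trace to the facts that matter for the ISA -> CWA SSO hand-off."""
    s = Summary()
    simple = {
        "connection_id": r"Connection ID# (\d+)",
        "auth_type": r"Auth type: (\d+)",
        "filter_status": r"HttpStatus: (\d+)",
        "final_status": r"custom response: HTTP/1\.1 ([^\n]+)",
    }
    for ev in parse(trace):
        msg = ev["msg"]
        for attr, pat in simple.items():
            m = re.search(pat, msg)
            if m:
                setattr(s, attr, m.group(1))
        m = re.search(r"AuthorizeUser succeeded - HomeServer: (\S+) URI: (\S+)", msg)
        if m:
            s.home_server, s.authorized_uri = m.group(1), m.group(2)
        m = re.search(r"session ticket: (\S+)", msg)
        if m:
            s.ticket = decode_ticket(m.group(1))
        s.challenges.extend(re.findall(r"^WWW-Authenticate: (\S+)", msg, re.M))
    return s


def diagnose(s: Summary) -> str:
    """Name the failure mode: authenticated and ticketed by CWAAuth, yet challenged again."""
    if s.authorized_uri and s.final_status and s.final_status.startswith("401"):
        if s.ticket and s.ticket["uri"] != s.authorized_uri:
            return "ticket URI %s does not match authorised URI %s" % (s.ticket["uri"], s.authorized_uri)
        return ("SSO succeeded for %s (home server %s) but connection %s was then answered "
                "with '%s' offering %s: the scheme the proxy delegates with is not one the "
                "published site accepts; compare the rule's delegation scheme with the site's "
                "enabled authentication providers"
                % (s.authorized_uri, s.home_server, s.connection_id, s.final_status,
                   "/".join(s.challenges) or "no scheme"))
    if s.final_status:
        return "final response: %s" % s.final_status
    return "no authentication outcome found in trace"


if __name__ == "__main__":
    summary = summarise(TRACE)
    print(summary.ticket)
    print(diagnose(summary))
```

Two things worth noticing when it runs. First, the base64 field of the ticket is just `uri|homeserver` in the clear, so anyone who captures a ticket learns who it was issued to; whatever protects it from forgery must live in the trailing value, which this page does not describe. Second, the filter sees IIS hand it a 500 before CWAAuth replaces it with the 401 challenge, so the 401 is generated by the CWA authentication filter itself, not by the IIS authentication settings changed later in the thread, which matches the later observation that Negotiate was still offered after NTAuthenticationProviders was set to NTLM.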

All replies

  • I forgot to mention that after each failed login attempt I see this error on ISA (workgroup member)

    "ISA Server tried to delegate credentials, but the web site does not accept the credentials provided by the authentication delegation scheme configured in the web publishing rule. Verify that the credentials delegation scheme configured in the web publishing rule matches an authentication protocol enabled on the published web site."
    Wednesday, January 9, 2008 9:50 PM
  • I haven't worked with ISA much but have seen a similar problem in IIS, usually when the client is trying to use Kerberos rather than NTLM. You can change the IIS website to only accept NTLM requests and see if that helps, with the command cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
    Thursday, January 10, 2008 10:34 AM
  • Nope, no luck. Even after I set that for the external site in IIS I'm still seeing a Negotiate challenge in the logs, even after restarts. If I run a get NTAuthenticationProviders on the site it returns just NTLM, so is something else within the CWA app calling for the Kerberos authentication?

    Tried setting the SPN on the CWA server for the CWAService on the external address. No dice. 401 unauthorized on the CWA server logs each time and ISA spits back the 403 forbidden to the user.
    Friday, January 11, 2008 12:44 AM
  • Bugger. I think some of the OCS websites offload all the authentication to the .NET Framework and bypass IIS... though not 100% sure. If it is trying to use Kerberos you can set this registry key (http://support.microsoft.com/?id=262177) to view the Kerberos events in eventvwr. If it is trying to use Kerberos and the ISA is in a different domain/workgroup than the IIS server, the tokens will fail.
    Friday, January 11, 2008 9:24 AM
  • For what it's worth, I rebuilt ISA as a domain member and put CWA on a different machine and all is well. I still don't know why it was failing before, but the guide does work.
    Monday, April 21, 2008 6:14 PM
  • Tom,

    What exact version of ISA have you been using? I used to have problems as well with ISA when configuring it as a reverse proxy in combination with certificates. The problems were also resolved after I reinstalled it.

    At the moment I'm using version 50.5720.100 and so far everything is working fine (I have not configured CWA and SSO yet).

    Cheers,

    /Thomas

    Tuesday, November 11, 2008 10:37 AM